Just announced, the Federal Trade Commission (“FTC”) has suspended enforcement of the Red Flags Rule for a third time, resulting in a new compliance date of November 1, 2009, which is an additional three month delay from the most recent compliance date of August 1, 2009 (see May 1, 2009 edition of the WER). According to the FTC, this suspension will provide creditors, particularly small businesses and entities with a low risk of identity theft, with more time to understand their obligations under the Red Flags Rule and to develop and implement identity theft prevention programs. During this additional three month delay, the FTC has stated that it will redouble its efforts to educate small businesses regarding compliance with the Red Flags Rule and provide additional resources and guidance to clarify which businesses are covered by the Rule and what they must do to comply. The FTC intends to make available additional compliance guidance, including the creation of a special link for small and low-risk entities on the FTC Red Flags Rule web site, www.ftc.gov/redflagsrule, with compliance materials and further direction regarding the Rule. The FTC recently posted FAQs that address how the FTC intends to enforce the Rule.

The FTC will forebear from bringing any enforcement action for violation of the Rule during this additional three-month extension period. The FTC’s announcement, however, makes clear that the extension applies only to entities subject to the FTC’s jurisdiction and does not affect the other agencies charged with overseeing enforcement of this Rule: the Office of the Comptroller of the Currency, Federal Reserve Board, Federal Deposit Insurance Corporation, Office of Thrift Supervision, and the National Credit Union Administration.

The Red Flags Rule resulted from the Fair and Accurate Credit Transactions Act of 2003, which amended the Fair Credit Reporting Act, and requires covered entities to develop and implement a written Identity Theft Prevention Program designed to detect, prevent, and mitigate identity theft. The FTC explained that many entities subject to the Rule were uncertain about their coverage under the Red Flags Rule. During the previous two extension periods, the FTC conducted outreach efforts and developed and published materials on its Red Flags Rule web site to assist companies in complying with the Rule.

This is one in a series of advisories regarding “Red Flags Rules”. If you have questions or would like copies of previous advisories related to this topic, please contact David AnthonyTroutman Sanders LLP offers a full array of services to help bring companies into compliance with the Red Flags Rule.